HIPAA Violation Cases

Detailed here is a summary of HIPAA violation cases that have led to settlements with the Department of Health and Human Services’ Office for Civil Rights (OCR), including actions pursued by OCR after possible HIPAA violations were discovered during data breach reviews and during investigations of complaints filed by patients and healthcare workers.

OCR has enhanced its enforcement activities recently, with more HIPAA violation cases leading to financial penalties, including settlements and civil monetary fines.

In growing its enforcement activity, OCR is sharing a message to all covered entities, large and small, that breaches of HIPAA Rules will not go unpunished.

What are the Penalties for Breaching HIPAA?

The consequences of violating HIPAA can be massive and it is crucial to remember fines for a HIPAA violation can be applied by the HHS’ Office for Civil Rights (OCR) even if no breach of PHI has taken place. The financial consequences of breaching HIPAA are calculated based on the level of negligence and – if a breach has taken place – the number of records that may have been exposed by the breach and the risk posed by the unauthorized sharing:

  • A violation of HIPAA attributable to ignorance can lead to a fine of $100 – $50,000.
  • A violation that occurred despite reasonable vigilance leads to a fine of $1,000 – $50,000.
  • A violation that occurred due to willful neglect which is corrected within thirty days will lead to a fine of between $10,000 and $50,000.
  • A violation due to willful neglect which is not addressed within thirty days will lead to the maximum fine of $50,000.

The figures here are the fines that can be issued by OCR. State Attorneys General can also impose fines if a breach of PHI violates state legislation; and – if it can be shown that an individual has suffered harm due to the negligence of a Covered Entity or Business Associate – the individual can also file a civil action for compensation. In some jurisdictions, the punitive damages awarded could far outweigh the maximum $1.5 million fine (per violation) that can be applied by OCR.

2018 HIPAA Violation Cases

Cottage Health – Exposure of ePHI Over Internet

OCR agreed to settle a number of alleged HIPAA violations with Cottage Health for $3,000,000. In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without a username or password. The ePHI of 62,500 patients was exposed. OCR found risk analysis failures, risk management failures, a failure to carry out technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement.

Pagosa Springs Medical Center – Failure to Turn Off Employee Access

OCR fined Pagosa Springs Medical Center $111,400 for not turning off a former employee’s access to a web-based scheduling calendar, which led to an impermissible disclosure of 557 patients’ ePHI. The medical center had also failed to complete a BAA with a business associate.

Advanced Care Hospitalists – Numerous Compliance Failures Resulting in PHI Breaches

An OCR review into an impermissible disclosure of 9,255 individuals’ PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, discovered major HIPAA compliance failures including a lack of a BAA, insufficient security measures to safeguard ePHI, and no documentation proving there had been any HIPAA compliance efforts before April 1, 2014. A settlement of $500,000 was agreed to resolve the alleged HIPAA breaches.

Allergy Associates of Hartford – Sharing PHI with Reporter

OCR examined a complaint about an impermissible disclosure of a patient’s PHI to a journalist. OCR confirmed that PHI had been shared without the patient’s permission and that no sanctions had been imposed on the physician responsible, even though the physician had been warned in advance not to share any PHI. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations.

What is Texas HB 300?

What is Texas HB 300, who must comply with the legislation, and what are the possible penalties for noncompliance? This post addresses these and other important questions about Texas HB 300.

What is Texas HB 300?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets minimum privacy and security standards for healthcare organizations. HIPAA covers healthcare organizations located in Texas, but they must also comply with state legislation. Texas has some of the strictest health data laws in the United States, which are set out in Texas HB 300 (Texas House Bill 300).

Texas HB 300 was enacted by the Texas legislature in June 2011 and was signed into law by Texas Governor Rick Perry. The required compliance date for Texas HB 300 was September 1, 2012.

Texas HB 300 amended four laws in Texas: The Texas Health Code (Chapters 181 and 182), the Texas Business and Commerce Code (Sections 521 and 522), the Texas Government Code (Chapter 531), and the Texas Insurance Code (Chapter 602) and brought in tougher privacy protections for health data than HIPAA.

Who must Comply with Texas HB 300?

Compliance with Texas HB 300 is obligatory for all covered entities that are based in Texas or work with Texas residents. Covered entities under Texas HB 300 differ from covered entities as referred to in HIPAA.

Texas HB 300 expanded the HIPAA definition of covered entity (healthcare providers, health plans, and healthcare clearing houses) to include any entity or person that possesses, obtains, assembles, collects, analyzes, evaluates, stores, or transmits protected health information in any form.

Texas HB 300 therefore applies to all healthcare organizations, including those that are not covered by HIPAA, as well as lawyers, schools, universities, researchers, accountants, Internet service providers, IT service providers, government agencies, and anyone who maintains a website that collects, stores, or works with PHI.

Texas HB 300 Exemptions

The only organizations not required to comply with Texas HB 300 are:

  • Not-for-profit outfits that pay for healthcare services or prescription drugs for indigent persons if the main business of the agency is not the provision of healthcare services or reimbursement for healthcare services.
  • Workers’ compensation insurance and any entity or person who acts in connection with the provision, support, administration, or coordination of benefits under a self-insured workers’ compensation scheme.
  • Employee benefit plans and entities or persons that act in connection with those plans.
  • Entities or people that provide, administer, support, or coordinate benefits linked with compensation for victims of crime.
  • Processing of certain payment transactions by financial outfits and education records covered by the Family Educational Rights and Privacy Act of 1974.

Texas HB 300 and Electronic Health Records

Texas HB 300 brought in new standards for handling electronic health records. A covered entity is prohibited from using PHI for any reason other than the provision of treatment, payment for healthcare, or insurance reasons unless, prior to the sharing of PHI, the covered entity has obtained written authorization from an individual to share their PHI.

HIPAA requires covered entities to provide patients and plan members with copies of their PHI on request, and those requests must be honored within 30 days of the request being filed. Texas HB 300 requires covered entities to provide copies of PHI much more rapidly – within 15 days of a written request being received.

Texas HB 300 Training for Employees Who Handle PHI

All employees who must handle PHI or sensitive personal information (SPI), or are likely to encounter PHI, are required to be given formal privacy training within 60 days of starting employment. In contrast to HIPAA, which does not state how often additional training must be given, Texas HB 300 requires extra privacy training to be given at least every two years. Training sessions need to be tailored to the role and responsibilities of the worker. All training must be recorded and employees are required to sign to confirm that they have received the training.

What are the Texas HB 300 Fines for Noncompliance?

The fines for noncompliance with Texas HB 300 are severe. The Texas attorney general can issue civil monetary penalties to entities and individuals that fail to comply with the legislation. State licenses can also be revoked in cases where an entity or individual has demonstrated continued noncompliance.

As with HIPAA, the fines for noncompliance with Texas HB 300 are divided into tiers:

Tier 1: Up to $5,000 per breach, per year, for violations that occur due to negligence

Tier 2: Up to $25,000 per violation, per year, for a knowing or intentional violation of the legislation

Tier 3: Up to $250,000 per violation, per year, for an intentional violation for financial profit

The highest financial penalty is $1.5 million per year in instances where there has been a pattern of noncompliance.

The level of the financial penalty is governed by the severity of the violation, whether there has been a history of noncompliance, the measures taken to address the violation, and whether harm has been caused as a result of the breach.

What is HIPAA?

HIPAA refers to the legislative act the ‘Health Insurance Portability and Accountability Act’ which was passed into law in the United States by President Bill Clinton’s administration on August 21, 1996.

In its original form, HIPAA was aimed at reforming the healthcare industry while also:

  1. Seeing to it that when employees were moving from one post to another in a different company they would retain healthcare coverage. This is what is referred to as Portability, the ‘P’ in HIPAA.
  2. Seeing to it that the security and confidentiality of health information is maintained. This is what is referred to as Accountability, the first ‘A’ in HIPAA.

HIPAA put in place a number of standards formulated to simplify healthcare transactions, with a special focus on electronic data transmission. To that end, HIPAA specified the use of particular code sets and identifiers.

Over the past 21 years, HIPAA has evolved through a number of pivotal amendments that healthcare organizations must follow to ensure that the privacy of patients is protected, that sensitive data is kept secure at all times, and that affected individuals are notified should a data breach occur.

The most significant amendments to HIPAA were passed in 2003, with the introduction of the HIPAA Privacy Rule, and in 2006, with the introduction of the HIPAA Security Rule. The Privacy Rule introduced a range of provisions that limit the allowable uses and disclosures of ‘Protected Health Information’ or PHI. The Security Rule governs access to healthcare data and the safeguards needed to prevent accidental or intentional disclosure of PHI to unauthorized persons. The Security Rule also requires covered entities to permanently destroy PHI when it is no longer needed.

Following the signing into law of the HITECH Act in 2009, the Breach Notification Rule must also be obeyed. It requires notifications to be sent in the event of data breaches and extends HIPAA requirements to business associates. Further HITECH requirements and other updates were brought in with the passing of the Omnibus Rule in 2013.

HIPAA ensures patients’ personal information and health data is protected at all times, whether it is at rest or in transit. HIPAA means patients can request and be given copies of their health data and that they be made aware when their protected health information is accessed or obtained by unauthorized persons.

Examples of HIPAA Violations by Nurses

HIPAA breaches by nurses often occur, even when every precaution is taken to comply with HIPAA Rules. While any HIPAA breach can result in disciplinary action, most employers would agree that accidental breaches will inevitably happen on occasion. In many instances, minor breaches of HIPAA Rules may not have negative consequences and can be handled internally. Employers may decide to provide more training in some cases to make sure the requirements of HIPAA are fully understood.

If a nurse breaches HIPAA by mistake, it is vital that the incident is made known to the person responsible for HIPAA compliance in your group – the Privacy Officer, if your organization has appointed or assigned one – or a supervisor. The failure to report a small violation could have major consequences if the behavior responsible for the breach is allowed to continue and the situation gets worse.

Serious breaches of HIPAA Rules, even when committed without malicious reasons, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Being fired for a HIPAA violation may not just mean loss of current employment and benefits. It can make it quite difficult for a nurse to find another job. HIPAA-covered bodies are unlikely to give a job to a nurse that has previously been fired for breaching HIPAA Rules.

Willful breaches of HIPAA Rules, such as theft of PHI for personal profit or use of PHI with intent to cause harm, can result in criminal penalties. HIPAA-covered entities are likely to report such incidents to law enforcement agencies, and investigations will be initiated. Complaints about HIPAA breaches submitted to the Office for Civil Rights (OCR) can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are unusual, although theft of PHI for financial gain is likely to lead to 10 years in jail.

No private cause of action exists under HIPAA. If a nurse breaches HIPAA, a patient cannot sue the nurse directly for the HIPAA breach. There may be a viable claim, in some cases, under state privacy laws.

Nurses HIPAA Violation Examples

The list of potential HIPAA violations by nurses is long so the most commonly experienced nurse HIPAA violations are listed below:

  • Obtaining the PHI of patients without proper cause and consent
  • Gossiping – talking about specific patients and sharing their health information to family, friends & co-workers
  • Sending PHI to anyone not authorized to have it
  • Taking PHI to a new employer
  • Illegally taking PHI for personal gain
  • Use of PHI to inflict damage
  • Improperly destroying PHI – discarding protected health information with regular rubbish
  • Placing PHI in a location where it can be accessed by unauthorized individuals
  • Sharing excessive PHI and breaching the HIPAA minimum necessary standard
  • Using the credentials of a co-worker to access EMRs / sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Breach HIPAA via Social Media

Sharing protected health information on social media platforms deserves further discussion. There have been many cases in recent years of nurses breaching HIPAA through social media.

Publishing any protected health information on social media platforms, even in closed Facebook groups, is a serious HIPAA violation. The same applies to posting PHI – including photographs and videos of patients – via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been given by the patient, in writing, nurses should not post photographs or videos of patients (or any PHI) on social media websites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media.

There have been a number of recent examples of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and sharing compromising photographs with friends over social media websites.

There has been a lot of publicity in relation to the practice, following the publication of a ProPublica report on the extent to which this is happening.

Is Google Drive HIPAA Compliant?

Google Drive can be deemed both compliant and non-compliant with HIPAA. This is because HIPAA compliance is less about technology and more about how technology is deployed. Even a software solution or cloud service that is described as HIPAA-compliant can easily be used in a manner that breaks HIPAA Rules.

G Suite – previously known as Google Apps, of which Google Drive is a part – does support HIPAA compliance. The service does not break HIPAA Rules provided HIPAA Rules are adhered to by users.

G Suite uses all of the necessary controls to make it a HIPAA-compliant service and can therefore be deployed by HIPAA-covered entities to share PHI (in line with HIPAA Rules), provided the account is set up correctly and standard security practices are used.

The use of any software or cloud platform along with protected health information requires the vendor of the service to complete a HIPAA-compliant business associate agreement (BAA) prior to the service being deployed with any PHI. Google offers a BAA for Google Drive (including Docs, Sheets, Slides, and Forms) and other G Suite apps for paid subscribers only.

Before deploying any Google service with PHI, it is vital for a covered entity to review, complete and accept the business associate agreement (BAA) with Google. It should be remembered that PHI can only be shared or used via a Google service that is specifically included in the BAA. The BAA does not include any third-party apps that are used along with G Suite. These must be avoided unless a different BAA is obtained from the provider/developer of that application.

The BAA does not mean a HIPAA covered entity is then free to use the service with PHI. Google accepts no responsibility for any misconfiguration of G Suite. It is the responsibility of the covered entity to make sure the services are configured properly.

Covered entities should remember that Google encrypts all data uploaded to Google Drive, but that encryption applies only on the server side. If files are downloaded or synced, additional controls will be necessary to safeguard data on devices. HIPAA-compliant syncing is outside the scope of this article, and it is recommended that syncing is turned off.

To avoid breaking HIPAA rules, covered entities should:

  • Complete a BAA with Google before deploying G Suite with PHI
  • Set access controls carefully
  • Turn on 2-factor authentication for access
  • Implement strong passwords
  • Disable file syncing
  • Turn off link sharing
  • Limit sharing of files outside the domain (Google offers advice if external access is necessary)
  • Make documents private
  • Turn off third-party apps and add-ons
  • Switch off offline storage for Google Drive
  • Disallow access to apps and add-ons
  • Audit access and account logs and shared file reports on a constant basis
  • Enable ‘manage alerts’ to ensure the administrator is made aware of any changes to settings
  • Back-up all data placed on Google Drive
  • See to it that staff are trained on the use of Google Drive and other G Suite apps
  • Never include PHI in the titles of files
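As an added example (not code from the original article or from Google), the script below turns three of the checklist items above into an automated check: it flags files with link sharing turned on, files shared with users or domains outside the organization, and file titles that look like they contain PHI. The records are constructed, modelled on the field names of the Drive API v3 file and permission resources (`name`, `shared`, `permissions[].type`, `role`, `emailAddress`, `domain`); the organization domain and the PHI title patterns are assumptions you would adapt to your own tenant.

```python
"""Audit Google Drive sharing records against a HIPAA configuration checklist.

Added example. The records below are constructed, modelled on the Drive API v3
``files.list`` output when ``permissions`` is requested; they are not real files
or accounts. The organization domain and PHI title heuristics are assumptions.
"""
import re

# Assumption: the covered entity's own G Suite / Google Workspace domain.
ORG_DOMAIN = "example-clinic.test"

# Constructed sample export, not data from a real tenant.
SAMPLE_FILES = [
    {
        "id": "f1",
        "name": "Quarterly staffing plan",
        "shared": True,
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
            {"type": "domain", "role": "reader", "domain": "example-clinic.test",
             "allowFileDiscovery": False},
        ],
    },
    {
        "id": "f2",
        "name": "John Doe MRN 1234567 lab results",
        "shared": True,
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "nurse@example-clinic.test"},
            # type "anyone" is what "anyone with the link" sharing looks like
            {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
            {"type": "user", "role": "writer", "emailAddress": "friend@gmail.test"},
        ],
    },
    {
        "id": "f3",
        "name": "Clinic holiday rota",
        "shared": False,
        "permissions": [
            {"type": "user", "role": "owner", "emailAddress": "admin@example-clinic.test"},
        ],
    },
]

# Heuristics for PHI-like content in a file title (assumption; tune for your org).
PHI_TITLE_PATTERNS = [
    re.compile(r"\bMRN\b", re.IGNORECASE),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped number
    re.compile(r"\b(lab results?|diagnosis|discharge|patient)\b", re.IGNORECASE),
]


def email_domain(addr):
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_file(f, org_domain=ORG_DOMAIN):
    """Return a list of (finding, detail) tuples for one file record."""
    findings = []
    for p in f.get("permissions", []):
        ptype = p.get("type")
        if ptype == "anyone":
            # Checklist: turn off link sharing.
            findings.append(("link_sharing", p.get("role", "")))
        elif ptype == "domain" and p.get("domain", "").lower() != org_domain:
            # Checklist: limit sharing outside the domain.
            findings.append(("external_domain", p["domain"]))
        elif ptype in ("user", "group"):
            addr = p.get("emailAddress", "")
            if email_domain(addr) != org_domain:
                findings.append(("external_user", addr))
    # Checklist: never include PHI in file titles.
    if any(pat.search(f.get("name", "")) for pat in PHI_TITLE_PATTERNS):
        findings.append(("phi_in_title", f.get("name", "")))
    return findings


def audit(files, org_domain=ORG_DOMAIN):
    """Map file id -> findings, omitting files with nothing to report."""
    report = {}
    for f in files:
        found = audit_file(f, org_domain)
        if found:
            report[f["id"]] = found
    return report


if __name__ == "__main__":
    for fid, found in audit(SAMPLE_FILES).items():
        for kind, detail in found:
            print(f"{fid}: {kind} ({detail})")
```

Run against a real export, only f2-style records should appear in the report; each finding maps back to one checklist item so it can be routed to the file owner for remediation.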

To help HIPAA-covered entities use G Suite and Google Drive properly, Google has published a Guide for HIPAA Compliance with G Suite to assist with implementation.

HIPAA and Social Media

HIPAA was introduced before social media platforms like Facebook were launched. Because of this, there are no HIPAA rules that refer specifically to social media.

However, there are HIPAA rules and standards that apply to social media use by healthcare organizations and their staff. Healthcare organizations must therefore create a HIPAA social media policy to reduce the risk of privacy breaches.

Social media channels allow healthcare organizations to communicate with patients and get them more involved in managing their own healthcare. Healthcare organizations can quickly and easily interact via messaging or provide information about new services, and healthcare providers can attract new followers using social media websites. However, there is serious potential for HIPAA Rules and patient privacy to be violated via social media platforms.

HIPAA and Social Media

The main rule of using social media in healthcare is to never spread protected health information through social media platforms.

The HIPAA Privacy Rule does not permit the use of PHI on social media networks; it makes it illegal. This includes all text regarding specific patients as well as images or videos that could result in a patient being identified. PHI can only be included in published social media posts if a patient has given their express consent, in writing, to allow their PHI to be used, and then only for the purpose specifically referred to in the consent form.

Social media platforms can be used for posting health tips, details of events, new medical research, biographies of employees, and for marketing reasons, provided no PHI is included in the posts.

Staff Must be Guided on HIPAA Social Media Rules

In 2017, 71% of all Internet users used social media websites. The popularity of social media networks, combined with the ease of sharing information, means HIPAA training should include the use of social media. If staff are not specifically trained on HIPAA social media rules, it is highly probable that breaches will happen.

Training on HIPAA should be given to all employees prior to them beginning work for the company. Failing that it should happen as soon as is possible following appointment. Refresher training should also be conducted at least once annually to ensure HIPAA social media rules are not disregarded.

Typical Social Media HIPAA Violations

  • Sharing of images and videos of patients without written permission
  • Sharing gossip about patients
  • Sharing any information that could allow a person to be identified
  • Posting photographs or images taken inside a healthcare facility in which patients or PHI can be seen
  • Posting of photos, videos, or text on social media websites within a private group

Guidelines for HIPAA Social Media

Listed here are some standard HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure you comply with HIPAA Rules.

  • Create clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media platforms
  • Guide all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions yearly
  • Supply examples to staff on what is acceptable – and what is not – to improve comprehension
  • Make staff aware of the possible penalties for social media HIPAA violations – termination, loss of license, and criminal penalties
  • Ensure all new uses of social media sites are given authorization by your compliance department
  • Review and refresh your policies on social media annually
  • Create policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts
  • Create a policy that requires personal and corporate accounts to be totally unlinked
  • Formulate a policy that requires all social media posts to be approved by your legal or compliance department prior to sharing
  • Review your organization’s social media accounts and communications and implement controls that can flag possible HIPAA violations
  • Maintain a record of social media posts made using your organization’s official accounts that preserves posts, edits, and the style of social media messages
  • Do not participate in discussions with patients who have disclosed PHI on social media accounts
  • Tell your staff to report any potential HIPAA violations
  • See to it social media accounts are included in your organization’s risk assessments
  • Ensure proper access controls are configured to stop unauthorized use of corporate social media accounts
  • Moderate all comments

The Department of Health and Human Services’ Office for Civil Rights has released guidance on HIPAA social media regulations, listing the specific parts of HIPAA that apply to social media networks. This can be viewed on the HHS website.

Is Office 365 HIPAA Compliant?

Office 365 is a range of subscription products created by Microsoft that includes Word, Excel, PowerPoint, OneNote, Outlook, Publisher, and Access.

Microsoft will sign a business associate agreement (BAA) with HIPAA covered entities for Office 365 and Microsoft Dynamics CRM Online, if it is bought through Volume Licensing Programs or the Dynamics CRM Online Portal. The Microsoft BAA also takes into account the use of the Microsoft Azure cloud platform.

Microsoft does not require a BAA be obtained prior to use of Office 365, as the BAA is automatically accessible for customers with an online service contract. However, HIPAA covered entities should obtain a BAA before they deploy Office 365 in conjunction with any electronic protected health information (ePHI). They should also provide an administrative contact. In the event of a security breach, the administrative contact will be alerted to a breach by Microsoft.

While there are firms that provide HIPAA certification to show that a company or product complies with HIPAA Rules, there is no official certification recognized by the HHS’ Office for Civil Rights or other federal bodies. However, Microsoft has been subjected to independent audits under ISO 27001 which incorporate assessments of security practices recommended by the HHS. Office 365 has been verified as having all required privacy and security controls to comply with HIPAA Rules.

Office 365 Security Measures

All data uploaded to or stored on Microsoft servers is protected by encryption, and any data shared outside of Microsoft facilities is similarly encrypted. However, packet headers and message headers are not encrypted.

Provided ePHI is not included in the subject line of emails, the names of files attached to emails, or the to and from fields of emails, email can be used safely.

Microsoft Office 365 meets HIPAA auditing requirements and logs of access to stored data are saved. Reports on access logs can be obtained from Microsoft when asked for.

Microsoft offers 2-factor authentication to stop Office 365 and Outlook email accounts from being viewed if a password is compromised and an unfamiliar device attempts to log into an account.

Is Microsoft Office 365 HIPAA Compliant?

So, is Microsoft Office 365 compliant with HIPAA regulations? Provided a HIPAA-covered entity has completed a business associate agreement with Microsoft, Office 365 can be used in a way compliant with HIPAA Rules.

While all proper privacy and security controls have been deployed by Microsoft to ensure that Office 365 can be used by HIPAA-covered entities while also being compliant with HIPAA and the HITECH Act, use of Office 365 does not guarantee compliance, even if a BAA has been completed with Microsoft.

It is the responsibility of covered entities to ensure access controls are set up properly, administrator access tracking is switched on, Microsoft Dynamics CRM Online for supported devices is switched off, access control reports are obtained and checked regularly, and all users are shown how to use Office 365 in a way that is compliant with HIPAA Rules.

Why was HIPAA Created?

Why was HIPAA created? HIPAA is an acronym of the Health Insurance Portability and Accountability Act – a legislative act that was enacted in the United States on August 21, 1996.

Initially, HIPAA was brought in to reform the healthcare sector and had two main focuses: To ensure that when workers were between jobs, they would still have healthcare coverage – The P in HIPAA – Portability. The second focus was to ensure the security and confidentiality of health data – the first A in HIPAA – Accountability.

HIPAA includes standards that were aimed at making healthcare transactions easier in relation to electronic data transmission. These included the use of specific code sets and identifiers.

Over the past 20 years, HIPAA has changed and now includes many new rules that healthcare groups must adhere to so as to ensure the privacy of patients is protected, sensitive data is kept secure at all times, and in the event of a data breach, affected individuals are alerted.

Major amendments to HIPAA Rules took place in 2003 with the introduction of the HIPAA Privacy Rule and in 2006 with the passing of the HIPAA Security Rule. The Privacy Rule has a number of provisions that restrict the allowable uses and sharing of ‘Protected Health Information’ or PHI. The Security Rule governs access to healthcare data and the safeguards needed to stop accidental or intentional sharing of PHI with unauthorized individuals. The Security Rule also requires covered entities to permanently destroy PHI when it is no longer necessary.

After the passing of the HITECH Act in 2009, the Breach Notification Rule was passed, requiring alerts to be sent after data breaches and extending HIPAA requirements to business associates. Additional HITECH requirements and other updates were passed with the Omnibus Rule in 2013.

So, what does HIPAA mean for individuals? HIPAA means patients’ personal information and health data is always safe, whether at rest or on the move. HIPAA means patients can get copies of their health data when they wish to, and that they will be alerted if their protected health information is viewed or obtained by unauthorized people.

Is Skype HIPAA Compliant?

Text messaging platforms such as Skype are a useful way of quickly communicating data, but can Skype be termed HIPAA compliant? Can Skype be used for sending text messages that include electronic protected health information (ePHI) without risking a breach of HIPAA Rules?

There is currently some discussion surrounding Skype and HIPAA compliance. Skype includes security features to stop unauthorized access to information transmitted via the platform, and messages are encrypted. But does Skype comply with all requirements of HIPAA Rules?

This article will try to answer the question, Is Skype HIPAA compliant?

Is Skype a Business Associate?

Is Skype a HIPAA business associate? That is a matter that has been much discussed. Skype could be thought of as an exception under the Conduit Rule – being merely a conduit through which data flows. If that is the case, a business associate agreement would not be a requirement for compliance.

However, a business associate agreement is a legal requirement if a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA-covered entity or one of its business associates. Skype does not create PHI, but it does ‘receive’ and transmit PHI. That said, messages are encrypted and are not accessed by Microsoft. But can Microsoft view the contents of messages? Can Microsoft unlock the encryption?

Microsoft does comply with law enforcement agency requests and will supply information to law enforcement. Information is only shared when required by law, such as when a subpoena or court order is served.

For that to take place, data must first be decrypted. It is unclear whether supplying information to law enforcement, and being able to decrypt messages, would mean Skype still meets the requirements of the conduit exception. Skype is also not a common carrier; it is software-as-a-service. While this has been discussed, it is our opinion that Skype is classed as a business associate and that a business associate agreement is obligatory.

Microsoft will complete a HIPAA-compliant business associate agreement with covered entities for Office 365, and Skype for Business MAY be included in that agreement. If a business associate agreement has been completed with Microsoft, covered entities must check it carefully to make sure if it does include Skype for Business. Microsoft has previously outlined that not all BAAs are the same.

Skype and HIPAA Compliance: Encryption, Access, and Audit Controls

HIPAA does not outright require the use of encryption for ePHI, although encryption must be considered. If encryption is not in place, an alternative, equivalent safeguard must be implemented in its place. With Skype, messages are encrypted using AES 256-bit encryption; therefore, this aspect of HIPAA compliance is adhered to.

However, Skype does not necessarily include the proper controls for backing up messages (and the ePHI they contain) communicated over the platform, and neither does it maintain a HIPAA-compliant audit trail. Skype for Business can be made HIPAA compliant if the Enterprise E3 or E5 package is purchased. These include the ability to set up an archive that stores all communications. Other versions would not satisfy HIPAA Rules.

Is Skype HIPAA Compliant?

Skype is not HIPAA compliant. However, Skype for Business can be HIPAA compliant if the Enterprise E3 or E5 package is purchased. In the case of the latter, it is up to the covered entity to ensure Skype is HIPAA compliant. That means a business associate agreement must be completed with Microsoft prior to using Skype for Business to send any ePHI. Skype must also be configured with great care. In order to be HIPAA compliant, Skype must maintain an audit trail, all messages must be backed up securely, and all communications must be saved.

Access controls must also be applied on all devices that use Skype to eliminate unauthorized disclosures of ePHI. Controls must also be configured to stop any ePHI from being sent outside the organization. Covered entities must also receive satisfactory assurances that, in the event of a breach, they will be alerted by Microsoft.

Even with a BAA and the appropriate package, there is still huge potential for HIPAA Rules to be breached using Skype for Business. Since there are many secure text messaging options available to covered entities, including platforms that have been built specifically for use in the healthcare sector, they may prove to be a better option.

Is Dropbox HIPAA Compliant?

Dropbox is a widely-used file hosting service, employed by many as a way of sharing files, but is it HIPAA compliant?

Dropbox states that it now supports HIPAA and HITECH Act compliance, but that does not mean Dropbox is outright HIPAA compliant. No software or file sharing platform can be fully HIPAA compliant in itself, as compliance depends on how the software or platform is used by organizations and individuals. Even so, healthcare organizations can use Dropbox to share or save files that include protected health information without breaching HIPAA Rules.

The Health Insurance Portability and Accountability Act states that covered entities must sign a business associate agreement (BAA) with an entity before any protected health information (PHI) is handed over. Dropbox is designated as a business associate so a BAA is obligatory.

Dropbox will complete a business associate agreement with HIPAA-covered entities. In order to avoid a HIPAA violation, the BAA must be signed before any file that includes PHI is sent to a Dropbox account. A BAA can be signed electronically using the Account page of the Admin Console.

Dropbox permits third party apps to be employed, although it is important to note that they are not included in the BAA. If third party apps are employed with a Dropbox account, covered entities need to consider those apps separately before they are used.

HIPAA states that healthcare organizations must implement safeguards to preserve the confidentiality, integrity and availability of PHI. It is therefore important to set up a Dropbox account in the correct fashion. Even with a completed BAA, it is possible to break HIPAA Rules when using Dropbox.

To ensure that you don’t break HIPAA rules, sharing permissions should be set up to ensure files containing PHI can only be reviewed by authorized individuals. Sharing permissions can be set to stop PHI from being shared with any individual external to a team. Two-step verification should be configured as an extra safeguard against unauthorized access.

It should not be possible for any files that include PHI to be permanently deleted. Administrators can turn off permanent deletions using the Admin Console. That will mean that files cannot be permanently deleted as long as the account is active.

It is also important for Dropbox accounts to be reviewed so that PHI is not being accessed by unauthorized people. Administrators should remove users when their role changes and they no longer need access to PHI, or when they leave the organization. All linked devices should also be regularly reviewed. Dropbox allows Dropbox content on linked devices to be remotely deleted. That should be done when a user leaves the organization or if a device goes missing or is stolen.

Dropbox captures all user activity. Reports can be produced to show who has sent content and to obtain information on authentication and the activities of all account administrators. Those reports should be regularly looked over.
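The account review described above (external sharing, two-step verification, permanent deletion, and devices still linked to departed users) can be automated against an export of team data. The following is an added example, not Dropbox's own code or API: the member, device and event records are a constructed, simplified format for illustration, not Dropbox's actual API schema, and the team domain is hypothetical.

```python
"""Review a (constructed) Dropbox team export for the HIPAA setup points above."""

# Hypothetical team domain; addresses outside it count as external recipients.
TEAM_DOMAIN = "clinic.example"

# Constructed sample records (not Dropbox's real API format).
MEMBERS = [
    {"email": "alice@clinic.example", "status": "active", "two_step": True},
    {"email": "bob@clinic.example", "status": "active", "two_step": False},
    {"email": "carol@clinic.example", "status": "removed", "two_step": True},
]
DEVICES = [
    {"email": "alice@clinic.example", "device": "alice-laptop"},
    {"email": "carol@clinic.example", "device": "carol-phone"},  # user has left
]
EVENTS = [
    {"type": "shared_link_create", "actor": "alice@clinic.example",
     "path": "/phi/labs.pdf", "audience": "public"},
    {"type": "shared_folder_invite", "actor": "bob@clinic.example",
     "path": "/phi/notes", "recipient": "nurse@clinic.example"},
    {"type": "shared_folder_invite", "actor": "bob@clinic.example",
     "path": "/phi/notes", "recipient": "friend@mail.example"},
    {"type": "file_permanently_delete", "actor": "bob@clinic.example",
     "path": "/phi/old.docx"},
]


def is_external(address, domain=TEAM_DOMAIN):
    """True when the address belongs to a domain other than the team's."""
    return address.rsplit("@", 1)[-1].lower() != domain.lower()


def review(members, devices, events, domain=TEAM_DOMAIN):
    """Return (finding, subject) tuples for each control the page calls for."""
    findings = []
    active = {m["email"] for m in members if m["status"] == "active"}
    for m in members:  # two-step verification on every active account
        if m["status"] == "active" and not m["two_step"]:
            findings.append(("no_two_step", m["email"]))
    for d in devices:  # linked devices whose owner is gone need a remote wipe
        if d["email"] not in active:
            findings.append(("orphaned_device", d["device"]))
    for e in events:  # sharing outside the team, and deletions that should be off
        if e["type"] == "shared_link_create" and e["audience"] != "team":
            findings.append(("external_link", e["path"]))
        elif e["type"] == "shared_folder_invite" and is_external(e["recipient"], domain):
            findings.append(("external_invite", e["path"]))
        elif e["type"] == "file_permanently_delete":
            findings.append(("permanent_delete", e["path"]))
    return findings
```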

Dropbox will produce a mapping of its internal practices on request and offers a third-party assurance report that details the controls that the firm has used to help keep files safe. Those documents can be obtained via members of the account management team.

Dropbox is secure and controls have been added to prevent unauthorized access, but ultimately HIPAA compliance depends on those using it. If a BAA is obtained and the account is correctly set up, Dropbox can be used by healthcare organizations to share PHI with authorized individuals without breaking HIPAA Rules.